Which solution will meet these requirements?
Integrate the company’s third-party identity provider with API Gateway. Configure an API Gateway Lambda authorizer to validate tokens from the identity provider. Require the Lambda authorizer on all API routes. Update the web application to get tokens from the identity provider and include the tokens in the Authorization header when calling the API Gateway HTTP API.
Integrate the company’s third-party identity provider with AWS Directory Service. Configure Directory Service as an API Gateway authorizer to validate tokens from the identity provider. Require the Directory Service authorizer on all API routes. Configure AWS IAM Identity Center as a SAML 2.0 identity provider. Configure the web application as a custom SAML 2.0 application.
Integrate the company’s third-party identity provider with AWS IAM Identity Center. Configure API Gateway to use IAM Identity Center for zero-configuration authentication and authorization. Update the web application to retrieve AWS Security Token Service (AWS STS) tokens from IAM Identity Center and include the tokens in the Authorization header when calling the API Gateway HTTP API.
Integrate the company’s third-party identity provider with AWS IAM Identity Center. Configure IAM users with permissions to call the API Gateway HTTP API. Update the web application to extract request parameters from the IAM users and include the parameters in the Authorization header when calling the API Gateway HTTP API.
Explanations:
This option correctly integrates the third-party identity provider with API Gateway through a Lambda authorizer. The authorizer validates the OAuth access tokens issued by the identity provider (signature against the provider's published keys, issuer, audience and expiry), and because it is required on every route, no request reaches a backend integration without a valid token. The web application is also correctly updated to obtain tokens from the identity provider and send them in the Authorization header, which is the standard bearer-token pattern for an API Gateway HTTP API. Note that an HTTP API also offers a built-in JWT authorizer for providers that issue standard OIDC JWTs; a Lambda authorizer is the general choice when custom validation logic or opaque-token introspection is needed.
Integrating the third-party identity provider with AWS Directory Service does not address the requirement, and API Gateway has no Directory Service authorizer type: its supported authorization mechanisms are IAM (SigV4-signed requests), Lambda authorizers, JWT authorizers for HTTP APIs, and Amazon Cognito user pool authorizers for REST APIs. Configuring IAM Identity Center as a SAML 2.0 identity provider and the web application as a custom SAML application adds a second federation layer and still does nothing to validate the OAuth tokens the existing provider issues.
This option replaces the existing OAuth flow with AWS IAM Identity Center, which manages workforce access to AWS accounts and applications; API Gateway has no "zero-configuration" integration with it. AWS STS issues temporary AWS credentials, not bearer tokens: API Gateway's IAM authorization requires each request to be SigV4-signed with those credentials, so placing them in the Authorization header as tokens would not work. The option therefore neither integrates the company's third-party identity provider nor provides a working authorization mechanism.
This option incorrectly creates IAM users for application end users, which bypasses the existing third-party identity provider and requires long-lived AWS credentials per user. IAM authorization on API Gateway also expects SigV4-signed requests rather than "request parameters" in the Authorization header. It adds credential-management burden without using the OAuth tokens the identity provider already issues.